The public is taking an increasing interest in ensuring that IT assets of federal agencies are protected from cybersecurity attacks. FISMA is addressing this concern, in part, by initiating a standard setting process for continuous monitoring.

The actions taken by NIST for the federal sector could have a very significant impact on the private sector because pending legislation would provide the federal government with the authority to mandate cybersecurity measures on the private sector.

The National Telecommunications and Information Administration (NTIA) recently issued a Notice of Inquiry to solicit the views of the public on the impacts of mandating public sector cyber controls on the private sector; please see this post.

FISMA standards, as discussed on this Interactive Public Docket (IPD), apply to IT systems owned by the federal government. Legislation under consideration, however, would give the U.S. Government the authority to mandate cybersecurity standards on the private sector.

For this reason, actions taken during the FISMA standard process, the subject of this IPD, are of particular interest to the private sector.

The Department of Commerce, acting through its National Telecommunications and Information Administration (NTIA), addressed the topic of cybersecurity in the private sector in a Notice of Inquiry (NOI) published in the Federal Register on July 28, 2010. See the attachment hereto.

NASA’s Inspector General highlighted the importance of cybersecurity to the agency as well as the agency’s cybersecurity shortcomings in a Memorandum on Top Management and Performance Challenges.

In the document, the IG notes that although “most NASA IT systems contain data that may be widely shared, others house sensitive information which, if released or stolen, could result in significant financial loss or adversely affect national security.”

Unfortunately, the IG found that NASA's

CIO has limited ability to direct NASA’s Mission Directorates to fully implement IT security programs, and consequently key Agency computer networks and systems operated by the Mission Directorates do not consistently comply with Agency-wide IT policy.

The Center for Strategic and International Studies (CSIS) has released a study explaining the nation’s need to substantially increase the number of highly skilled cybersecurity specialists.

The report, Human Capital Crisis in Cybersecurity: Technical Proficiency Matters, cites a 2007 House Homeland Security Committee hearing to illustrate agency need for cybersecurity staff. Witnesses from the Departments of State and Commerce testified that their respective systems were penetrated by “zero-day” attacks (exploiting vulnerabilities for which there was no patch). The Commerce witness stated he did not know when the attack first occurred and that it “had spread to at least 32 systems, all of which were connecting to servers in China.” By contrast, the State Department official testified that the attack on his agency’s systems was detected moments after it occurred, the system was cleaned, and the attack was stopped.